1Password 4 for Mac brings upgraded security and Wi-Fi sync

AgileBits aims to prevent "attacks that haven't even been dreamt of yet."

AgileBits today released 1Password 4 on the Mac App Store, a major upgrade to one of the best-known password management applications.

The application has a new design and various features aimed at making it easier to use, such as a menu bar utility. It also brings back Wi-Fi Sync, which lets users sync password data from a Mac to an iOS device without storing their encrypted keychain in Dropbox or iCloud.

AgileBits described security improvements including a new keychain design with 256-bit AES encryption keys and data integrity checks that increase resistance to tampering. The design "forestalls many attacks that haven’t even been dreamt of yet," AgileBits said. 1Password 4 development was helped along by 20,000 beta testers.

1Password 4's launch price is $39.99 on the Mac App Store, a price that will rise to $49.99. However, anyone who ever purchased 1Password 3 on the Mac App Store can upgrade for free.

1Password 4 will also be available on the AgileBits website in a day or two. Anyone who bought 1Password 3 directly from AgileBits in 2013 will get version 4 for free. Anyone who bought before 2013 can upgrade for $24.99 at launch. That will be increased to 1Password's regular upgrade pricing of $34.99 later on.

1Password has a Windows application too, but that hasn't been upgraded.

In general terms, password managers like 1Password automatically fill in your usernames and passwords across any website, automatically generating passwords that are far more secure than most people can remember. Your keychain is protected by a single master password, the only one you have to remember.

Password managers are popular tools among security experts, but they should be considered by anyone who uses the Internet. As noted, there are numerous options beyond 1Password. The important thing is finding one you're comfortable with and using it to replace all your simple passwords with long strings of random characters that can resist the password cracking tools used by criminals.

Promoted Comments

Hmmm...could Ars put together a good review & general technical & security overview of a variety of these password managers? I'm somewhat thinking I might want to finally go ahead and get one of these so I could have one very strong password, and then an individual password for each and every service I use. Maybe get together with Steve Gibson or other great security researcher and come up with a vetted list of password managers that actually have a good implementation.

1Password 4's launch price is $39.99 on the Mac App Store, a price that will rise to $49.99. However, anyone who ever purchased 1Password 3 on the Mac App Store can upgrade for free.

1Password 4 will also be available on the AgileBits website in a day or two. Anyone who bought 1Password 3 directly from AgileBits in 2013 will get version 4 for free. Anyone who bought before 2013 can upgrade for $24.99 at launch. That will be increased to 1Password's regular upgrade pricing of $34.99 later on.

So if I bought from the Mac App store it is free, but if I bought directly from them it is $25 bucks, $35 if I don't upgrade right away? That is disappointing.

Hmmm...could Ars put together a good review & general technical & security overview of a variety of these password managers? I'm somewhat thinking I might want to finally go ahead and get one of these so I could have one very strong password, and then an individual password for each and every service I use. Maybe get together with Steve Gibson or other great security researcher and come up with a vetted list of password managers that actually have a good implementation.

What do you mean by "LastPass integration"? 1Password syncs with Dropbox (and maybe iCloud?). There is also an app for iOS and a read-only app for Android. I used to use LastPass and moved to 1Password. No regrets really. They both have web pages that they fail on, but neither seems dramatically better than the other and the UI on 1Password is much better and you have more control over your encrypted blob.

I'm convinced that using a password manager is a good thing, but I can't bring myself to use a closed source solution with a closed format... And, as far as I know, I found no proof that 1Password is without hidden features.

The best alternative I found for OS X seems to be MacPass, a Keepass port, but it's still a bit rough on the edges. Does anyone have any more advice about this? Thanks in advance.

Hmmm...could Ars put together a good review & general technical & security overview of a variety of these password managers? I'm somewhat thinking I might want to finally go ahead and get one of these so I could have one very strong password, and then an individual password for each and every service I use. Maybe get together with Steve Gibson or other great security researcher and come up with a vetted list of password managers that actually have a good implementation.

I'm glad they restored wifi sync. Their attitude towards local syncing vs the cloud was truly bizarre and forced me to downgrade to their previous product that wasn't crippled and supported that feature.

That said, the previous version supports the feature that is most compelling in this "upgrade".

Asking us to pay $25 for this is just wrong and I will be passing.

Sorry, if I had stuck with them over the past two years I would have been spending over $75 or so on these upgrades between iOS and Mac versions. Not to mention that they screwed over their customers that bought a version, then they said their "new" versions were going to be on the app store from then on...or it may have been reversed from that, I forget which, but it pissed me off so much back then that they were nickel-and-diming me, so I dumped them.

LastPass cost me like 9 bucks. Works nearly EVERYWHERE, has 2-factor authentication, Works on iOS, Android, Mac, PC, WebOS, Blackberry etc etc. It syncs everywhere to those devices. I'm sure this upgrade to 1Password is all nice and everything, but not enough to get me to switch back.

The official iCloud sync support is only provided in the MAS version, we just can't confirm the same for the website version as that's up to Apple.

Beside the iCloud sync, auto-submit tool will be required to be installed separately for the MAS version (more details will be explained later), the data paths will be different, the website initially won't be sandboxed among other minor changes that don't impact the overall use of 1Password. I've asked the docs team to write up a detailed list and we'll add it to our KB as soon as possible.

For new customers, a minor inconvenience of installing auto-submit tool is outweighed by iCloud sync (much faster sync, especially if you use iOS counterpart). It seems MAS version is the way to go.

Hmmm...could Ars put together a good review & general technical & security overview of a variety of these password managers? I'm somewhat thinking I might want to finally go ahead and get one of these so I could have one very strong password, and then an individual password for each and every service I use. Maybe get together with Steve Gibson or other great security researcher and come up with a vetted list of password managers that actually have a good implementation.

Well, for those of us who aren't on a Stallman-inspired mouth-frothing rant about the source, 1Password actually is pretty useful. I paid for the upgrade on iOS but got the upgrade for free on OS X... I'll call that a wash for some new features that I like.

The new security audit is showing me that I need to do a better job of picking, updating, and differentiating my passwords; I've grown far too complacent. I'd heard a rumour that Dropbox was being deprecated, but it looks like that was just for the 3.0 on iOS as Dropbox changed their API.

I have to say I like the new look; it's cleaner and the addition of crisper icons for individual sites goes a long way. I like the way identities works too; Safari's Auto-fill can be hit or miss.

I'm pleased to see it's already Mavericks-compliant too. It'll make the move this month that much easier.

1Password 4's launch price is $39.99 on the Mac App Store, a price that will rise to $49.99. However, anyone who ever purchased 1Password 3 on the Mac App Store can upgrade for free.

1Password 4 will also be available on the AgileBits website in a day or two. Anyone who bought 1Password 3 directly from AgileBits in 2013 will get version 4 for free. Anyone who bought before 2013 can upgrade for $24.99 at launch. That will be increased to 1Password's regular upgrade pricing of $34.99 later on.

So if I bought from the Mac App store it is free, but if I bought directly from them it is $25 bucks, $35 if I don't upgrade right away? That is disappointing.

That's the result of Apple's rather firm rules about upgrading pricing... in that there is none. 1Password is one program that requires a lot of development, and their payment model is pretty traditional. You buy the app, and as features are released you pay for upgrades.

In general, most customers wanted to get the Mac app store version and who already had the version outside the mac app store had no choice but to buy into the new version. One option that AgileBits could use is what they did with the iOS app, and that's to have a 1Password v3 app and a separate 1password v4 (two entries in the App store). The problem with this is that their Mac App Store 1Password v3 was very recently added and they already made a bunch of existing customers have to re-buy the app in the mac app store, so essentially most users already paid for an "upgrade". Buying the Mac App store version gives you access to APIs that aren't available to developers if you sell outside the mac app store, so that's why they did it.

This is simply a reason, not an excuse. Developers need to be paid, and they want to remain firmly in the Mac ecosystem and take advantage of all they can, so when they did they ran headlong into the Apple Closed Garden. However since 1Password is well known amongst self-employed Apple users and power users, most of their customers are repeat customers. Only a very few customers, like myself, got the bonus of buying the Mac app store version and never bought the non Mac app store version, and most everyone else has paid about the same amount of money already up to this point.

And yet... much of this is moot because there's a very good chance that 1Password is going to get "sherlocked" in the coming months when Mac OS 10.9 is released.

I own 1Password, and I like it, with one caveat: it doesn't automatically recognize if it has already saved a login/password for a site. So every time I visit my online banking, for example, it asks me if I want to save that login and password, even though that exact web address's login and password is already saved in 1Password. It drives me nuts.

1Password is a free update on Mac App Store because they announced it would be when they first moved 1Password 3 into the Mac App Store. They were getting questions from people that already owned 1Password 3 why they should rebuy 1Password. Mac App Store purchasers were promised a free upgrade to 4:

That promise was made in 2011 and I suspect 4 took much longer to release than they wanted, but they stood by their promise. That's good business. I would not expect 1Password 5 to be a free update in Mac App Store for anyone (their 1Password 4 iOS upgrade was a paid upgrade)

1Password 4 is free if you've bought 3 anytime in the last 9 months. That's much longer than the free upgrade windows most developers provide (it's usually a month or 2, so this is significantly longer.)

I hope the Windows version gets a major overhaul soon, it's functional but not nearly as nice as the Mac and iOS versions.

1Password 4's launch price is $39.99 on the Mac App Store, a price that will rise to $49.99. However, anyone who ever purchased 1Password 3 on the Mac App Store can upgrade for free.

1Password 4 will also be available on the AgileBits website in a day or two. Anyone who bought 1Password 3 directly from AgileBits in 2013 will get version 4 for free. Anyone who bought before 2013 can upgrade for $24.99 at launch. That will be increased to 1Password's regular upgrade pricing of $34.99 later on.

So if I bought from the Mac App store it is free, but if I bought directly from them it is $25 bucks, $35 if I don't upgrade right away? That is disappointing.

That's the result of Apple's rather firm rules about upgrading pricing... in that there is none. 1Password is one program that requires a lot of development, and their payment model is pretty traditional. You buy the app, and as features are released you pay for upgrades.

In general, most customers wanted to get the Mac app store version and who already had the version outside the mac app store had no choice but to buy into the new version. One option that AgileBits could use is what they did with the iOS app, and that's to have a 1Password v3 app and a separate 1password v4 (two entries in the App store). The problem with this is that their Mac App Store 1Password v3 was very recently added and they already made a bunch of existing customers have to re-buy the app in the mac app store, so essentially most users already paid for an "upgrade". Buying the Mac App store version gives you access to APIs that aren't available to developers if you sell outside the mac app store, so that's why they did it.

This is simply a reason, not an excuse. Developers need to be paid, and they want to remain firmly in the Mac ecosystem and take advantage of all they can, so when they did they ran headlong into the Apple Closed Garden. However since 1Password is well known amongst self-employed Apple users and power users, most of their customers are repeat customers. Only a very few customers, like myself, got the bonus of buying the Mac app store version and never bought the non Mac app store version, and most everyone else has paid about the same amount of money already up to this point.

And yet... much of this is moot because there's a very good chance that 1Password is going to get "sherlocked" in the coming months when Mac OS 10.9 is released.

I understand why it is that way, but all that tells me is that from now on I'm only purchasing their software through the Apple App Store. If I decide to stay with them I will pay the extra money now to repurchase through Apple to know I won't have to pay for updates in the future.

It was annoying enough that I had to purchase a separate license to use it on my Windows partition of the same computer, then I had to purchase the 2nd iOS app because they stopped updating the first one, etc. I don't mind paying for software or updates, but there is a limit to what I am willing to do for one piece of software where cheaper alternatives do exist.

I'm convinced that using a password manager is a good thing, but I can't bring myself to use a closed source solution with a closed format... And, as far as I know, I found no proof that 1Password is without hidden features.

The best alternative I found for OS X seems to be MacPass, a Keepass port, but it's still a bit rough on the edges. Does anyone have any more advice about this? Thanks in advance.

While 1Password isn't open source, the company extensively discusses all the security decisions it makes and the rationale behind them. Their blog is actually quite interesting reading for people wanting to learn about security and encryption.

I own 1Password, and I like it, with one caveat: it doesn't automatically recognize if it has already saved a login/password for a site. So every time I visit my online banking, for example, it asks me if I want to save that login and password, even though that exact web address's login and password is already saved in 1Password.

I'm using it for five different financial sites, and don't have that problem at all. However, visiting some other sites yields the behavior you describe.

I suspect those sites are always changing something that makes 1Password think it is an entirely new authentication page (they are often accompanied with a convoluted URL that is never the same twice). I'd be curious to see how other password managers deal with that problem in a side-by-side comparison.

Well, for those of us who aren't on a Stallman-inspired mouth-frothing rant about the source, 1Password actually is pretty useful. I paid for the upgrade on iOS but got the upgrade for free on OS X... I'll call that a wash for some new features that I like.

I'm not sure caricatural insults are a good way to discuss the reliability of a piece of software... It was an honest question: closed source is a good way to hide unwanted features inside a program, so it's legitimate to enquire about it beforehand.

At the very least, with a program dealing with password security, I'd like to know whether I can make sure, for example, that it never phones home (or any site), or how strongly the save file is protected, etc.

I own 1Password, and I like it, with one caveat: it doesn't automatically recognize if it has already saved a login/password for a site. So every time I visit my online banking, for example, it asks me if I want to save that login and password, even though that exact web address's login and password is already saved in 1Password.

I'm using it for five different financial sites, and don't have that problem at all. However, visiting some other sites yields the behavior you describe.

I suspect those sites are always changing something that makes 1Password think it is an entirely new authentication page (they are often accompanied with a convoluted URL that is never the same twice). I'd be curious to see how other password managers deal with that problem in a side-by-side comparison.

I think you're right about that.

However, I can tell you for an absolute fact that both Safari and Chrome, when set to remember the various sites' passwords, never ask me to save again what I have already saved. They do what I want them to do: fill in the password information. I have rarely if ever encountered a site that either of those two browsers couldn't reliably save a password to.

I'm not sure, from a technical standpoint, why 1Password can't do the same.

I also bought the App Store version 3, and when I heard 4 was coming out I was already prepared to spend the ~$39 to buy the new version and was surprised that it was a free upgrade.

For me it is my most used software outside of the OS/Outlook/Safari, so I have no issue whatsoever with paying for it. AgileBits do a really good job with all their apps and I want them to keep it up, the price they ask for the software is not great considering I use it 20-30 times a day and it goes a long, long way to ensuring I use different passwords for everything.

1password is expensive but I find it's worth it in terms of security and peace of mind. Very glad I bought it for mac and my iPhone.

I hope they've simplified it a bit in v4 - as a newbie starting with v3 I found the number of options exposed quite overwhelming and I'm an experienced techie. As for the wife/girlfriend/grandparents, forget it. This is why I'm not recommending it to them. Something like a basic / advanced mode would help.

Also, while I'm here, in edit mode it seems a bit too easy to accidentally overwrite saved passwords. I always get a bit nervous when I enter edit mode to update a name or something, or when I'm generating a new password to replace an old one (i.e. after pw generation but before the website has confirmed it accepts the new pw. A mistake here could leave you locked out of your account with no valid pw, which is a nightmare if it's a bank website.)

I moved away from LastPass some time ago to KeePass (v1 not v2, as I prefer being able to see the password being generated on the same page; v2 puts the generated password on a second tab I think. Also, at the time the Android KeePass app did not like v2 much).

LastPass has some nice features though, like if your email is on a compromise list LastPass will email you. It also has the "how good is your password" page somewhere.

Hmmm...could Ars put together a good review & general technical & security overview of a variety of these password managers? I'm somewhat thinking I might want to finally go ahead and get one of these so I could have one very strong password, and then an individual password for each and every service I use. Maybe get together with Steve Gibson or other great security researcher and come up with a vetted list of password managers that actually have a good implementation.

Closed source with no portable nor open format database. Not really cross platform and offers a private cloud solution.

Why do people use this?

The database format is individual JSON files for each item in the database. Not very hard to parse in the catastrophic event that the application would suddenly start to work and that all backup copies of the app would cease to work. 1Password can also export a .pif file that contains a very similar JSON structure but with all fields decrypted, it looks something like this:

I own 1Password, and I like it, with one caveat: it doesn't automatically recognize if it has already saved a login/password for a site. So every time I visit my online banking, for example, it asks me if I want to save that login and password, even though that exact web address's login and password is already saved in 1Password.

I'm using it for five different financial sites, and don't have that problem at all. However, visiting some other sites yields the behavior you describe.

I suspect those sites are always changing something that makes 1Password think it is an entirely new authentication page (they are often accompanied with a convoluted URL that is never the same twice). I'd be curious to see how other password managers deal with that problem in a side-by-side comparison.

I think you're right about that.

However, I can tell you for an absolute fact that both Safari and Chrome, when set to remember the various sites' passwords, never ask me to save again what I have already saved. They do what I want them to do: fill in the password information. I have rarely if ever encountered a site that either of those two browsers couldn't reliably save a password to.

I'm not sure, from a technical standpoint, why 1Password can't do the same.

Might be worth checking to see if the URL stored in 1Password is from a registration page, as some sites put those on a separate subdomain (e.g. register.site.com) and 1P definitely uses the entire domain from the URL when it does a comparison.

...both Safari and Chrome, when set to remember the various sites' passwords, never ask me to save again what I have already saved. They do what I want them to do: fill in the password information. I have rarely if ever encountered a site that either of those two browsers couldn't reliably save a password to.

I'm not sure, from a technical standpoint, why 1Password can't do the same.

Puzzling indeed. If Safari and Chrome serve your needs then you might as well stick with their offerings (and 10.9 should improve on Apple's built-in manager). Otherwise if you're willing to invest the time you might contact Agile to see what's going on.

[Personal aside: I was reluctant to purchase and install a password manager for years (Pfft! I can handle this myself!) but I got 1Password as part of a software bundle and first started using it for non-critical logins (UPS, library account, etc.) Later on after I understood its behavior (and I still don't agree with all of their design decisions) I committed the rest of my logins to it. I frequently export all my data and review it to make sure I don't have stale or incorrect information buried in there, but I also do this to convince myself that I still have everything I need to go back to manual operation if something bad happens. Meanwhile, it has become indispensable for my day-to-day web logins, so I'm sticking with it.]